With Firefox it's easy to export the SSL certificate used by a page as x509, with all intermediate certificates, as *.crt.
I need to do the same by converting *.pem files to *.crt in a non-binary format using openssl.
These are the current certs in use by apache:
SSLCertificateFile /etc/apache2/ssl/cert-start.pem
SSLCertificateKeyFile /etc/apache2/ssl/key-no-pw.pem
SSLCACertificateFile /etc/apache2/ssl/cert-bundle.pem
I can easily convert the SSLCertificateFile to crt with:
openssl x509 -in cert-start.pem -out cert-start.crt
To build the crt with full chain I've tried -chain, -clcerts without luck.
What is the correct way for including all intermediate certificates from SSLCACertificateFile /etc/apache2/ssl/cert-bundle.pem as well?
Best Answer
In case it would also contain the key (in some cases it is needed, but it depends on usage), it would be
In case you would check the output you will see something like this (in case of chain.pem):
And in case of full_chain.pem it will be something like this:
In case you would "check" it using
openssl x509 -in chain.pem
you will see just the first (in this case server) certificate. All the rest will be handled as a comment, that is, ignored. You have to separate it into an extra file or just print a specific line range via a pipe to openssl to see the content. The real check can be done "visually" using cat or some text editor you prefer... Once the application expects a pem / crt file, this is what you need.
In case you would like to handle it as a "container", the proper form is pkcs12. There you can handle it as a set of certificates, and see it / import it that way. The command would be in that case
The pkcs12 output can be checked using command
Please note that "correct" format (p12 or pem / crt) depends on usage.
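
The workflow the answer describes, as an added example that is not part of the original answer: a PEM chain is built by concatenating the server certificate and the bundle, `openssl x509` shows only the first certificate in it, and a PKCS#7 wrapper or a PKCS#12 container shows them all. The CA, server certificate, `chain.crt`/`chain.p12` output names, function names and password are constructed for the demonstration; only the `cert-start.pem`, `key-no-pw.pem` and `cert-bundle.pem` names come from the question.

```shell
#!/bin/sh
# Added example. The CA and server certificate are constructed throwaway
# stand-ins for the question's cert-bundle.pem, cert-start.pem, key-no-pw.pem.

make_demo_certs() {   # $1 = directory to write the constructed files into
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca-key.pem" -out "$1/cert-bundle.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/key-no-pw.pem" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/cert-bundle.pem" \
        -CAkey "$1/ca-key.pem" -CAcreateserial -days 1 \
        -out "$1/cert-start.pem" 2>/dev/null
}

build_chain() {       # $1 = server cert, $2 = CA bundle, $3 = output
    # PEM is plain text: the chain file is the server certificate followed
    # by the intermediates, in that order.
    cat "$1" "$2" > "$3"
}

first_subject() {     # what "openssl x509 -in FILE" sees: the first cert only
    openssl x509 -in "$1" -noout -subject
}

all_subjects() {      # every certificate in a PEM file, via a PKCS#7 wrapper
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout | grep '^subject'
}

export_p12() {        # $1 = cert, $2 = key, $3 = CA bundle, $4 = out, $5 = password
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

p12_cert_count() {    # $1 = PKCS#12 file, $2 = password
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        grep -c -e '-----BEGIN CERTIFICATE-----'
}

work=$(mktemp -d)
make_demo_certs "$work"
build_chain "$work/cert-start.pem" "$work/cert-bundle.pem" "$work/chain.crt"
export_p12 "$work/cert-start.pem" "$work/key-no-pw.pem" \
    "$work/cert-bundle.pem" "$work/chain.p12" demo-password
echo "x509 sees:";  first_subject "$work/chain.crt"
echo "file holds:"; all_subjects "$work/chain.crt"
echo "p12 certificates: $(p12_cert_count "$work/chain.p12" demo-password)"
```

The PKCS#12 file also contains the private key, so it needs the same file permissions and handling as `key-no-pw.pem`.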